HIPAA Minute FAQs
MSNJ worked with Helen Oscislawski, Esq. to produce two-minute videos on the HIPAA changes due to the Final Omnibus Rule. View the introductory video: "Intro to 'A HIPAA Minute' Web Series".
Does a Physician Practice have to comply with HIPAA?
Yes. Most physician practices must comply with HIPAA. One exception is physicians who do not engage in ‘HIPAA Transactions,’ regardless of the size of the practice. To learn more about HIPAA Transactions, and whether your practice must comply with HIPAA, please go to: Part 1: HIPAA Applicability.
What are ‘HITECH’ and ‘Omnibus’?
HITECH stands for the Health Information Technology for Economic and Clinical Health Act, a federal law that was passed in February 2009. Since 2009, Health and Human Services has issued many interim rules and regulations based on HITECH. OMNIBUS, released in January 2013, is the final version of those rules and will go into effect on September 23, 2013. HITECH changed several areas of the HIPAA Privacy Rule, and the September 23, 2013 effective date is also the date by which physicians must complete all their HIPAA revisions. To learn more about HITECH and OMNIBUS, and what revisions are required, please go to: Part 2: HITECH Omnibus.
If a physician accidentally sends, faxes, or e-mails patient information to the wrong place, is that a ‘Breach’ which has to be reported to the affected patient?
According to the HITECH amendments, any time patient information is disclosed to a third party that does not have authorization to obtain that information, it should be considered a breach. However, HITECH allows physicians to assess each situation and determine how likely it was that the information was actually compromised. Learn more about breach assessment by going to: Part 3: Breaches: Presumption of Breach.
May a physician still collect family medical histories, or is this now prohibited by the HIPAA amendments?
The simple answer is no; it is not prohibited. The HIPAA prohibition many physicians believe applies to them only refers to genetic information used by healthcare plans for underwriting. However, there are still guidelines one must follow when dealing with ‘genetic information.’ You can learn more about genetic information and your obligations regarding a patient’s family history by going to: Part 4: PHI: Genetic Info.
If I license EMR software from a vendor, do I have to have a HIPAA Business Associate Agreement in place with that company?
It really depends on what the vendor’s role is. Can your vendor access EMRs when doing maintenance and updates? Are they storing any patient information for you? Under HITECH, there are new regulations for Business Associate agreements, and you should make sure you are using updated forms. You can learn more about when you need Business Associate agreements and when the new regulations will apply by going to: Part 5: Business Associates: Who is a BA?
Do I need to get the parent’s signed HIPAA authorization to release immunization records to a child’s school?
No. The HITECH amendments to HIPAA remove the obligation to obtain a signed HIPAA authorization. Note that this only applies to schools, and not to other locations like summer camps or sports. For more information, see: Part 6: Public Health: Immunization Records.
Do I have to give patients an electronic copy of their information, and who pays for that?
Yes. Patients have a legal right to receive an electronic copy of their health information if such information is already electronically available. If the information is not electronically available, then there is no obligation to format it. To learn more, including the methods of transmitting electronic health information, please go to: Part 7: Patient Rights - Access.
If a patient asks me not to send their health information to the payor, do I have to comply with this?
Yes. However, this only applies if the patient has paid in full and out of pocket. If so, the patient can request that the information be withheld from the payor. The physician then needs to make a notation that the information is restricted, but need not ensure that third parties do not release this information to the payor. Details can be found at: Part 8: Patient Rights: Request for Restriction.
If I simply do nothing to comply with HIPAA, does this really pose any tangible risk?
Yes, definitely. A physician who willfully does nothing to comply with HIPAA could face a variety of penalties of up to 1.5 million dollars. Additionally, the government is now required to investigate and assess penalties; previously it had discretion. HIPAA has been tightened in terms of restrictions in other ways as well. Additional information can be found here: Part 9: Enforcement.
After I update my HIPAA Notice of Privacy Practices for the HITECH amendments, do I have to send an updated copy to every patient?
No. Physicians do not have to send a copy to every patient. This only applies to health plans. Details regarding the confusion surrounding this issue are located at: Part 10: Patient Rights: Notice of Privacy Practices.
About the presenter: